Fake Google Play Site Leads To Rogue .APK App

The Android Market was only recently renamed Google Play, and cybercriminals are already taking advantage of the change. We have spotted newly created domains that imitate the Google Play site and serve malicious apps.

The malicious URL http://{BLOCKED}ay-google.ru displays a fake Russian Google Play site. When translated to English, the text reads: “Download Google Play for Android Google Play is formerly known as the android market but now a vast and influential old android market combined with a store of books google ebookstore multi-format films and world music google music.”

Clicking the images on the site led me to another malicious Russian domain that offers suspicious Android apps. When I tried to download the supposed Google Play application, google-play.apk, from http://{BLOCKED}ay-google.ru, the link instead delivered a malicious file detected as ANDROIDOS_SMSBOXER.AB. The download chain leads to yet another malicious URL, http://{BLOCKED}-api.ru.

ANDROIDOS_SMSBOXER.AB is a premium abuser type of mobile malware. Such malware subscribes affected devices to premium services without the permission of the user, thus leading to unwanted charges.

This particular malware is very similar to ANDROIDOS_OPFAKE.SME, an Android malware that made news last month for its reported ability to polymorph. As with ANDROIDOS_OPFAKE.SME, the server that hosts ANDROIDOS_SMSBOXER.AB simply inserts unnecessary files into the APK in an attempt to evade detection: each download gets a different file hash, but the code inside is the same. According to Threats Analyst Kervin Alintanahin, this routine cannot technically be considered polymorphic behavior, since no significant change is made to the APK's code. Because of this, security software can still easily detect the malicious files.
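The following is an added illustration of why junk-file padding is not real polymorphism; it is not Trend Micro's tooling or the malware's own code. It builds two constructed, APK-like ZIP archives in memory (placeholder manifest and dex bytes, not a real app), pads one with random extra entries the way the page describes the server doing, and shows that the whole-file hash changes while a fingerprint over the behaviour-bearing entries (AndroidManifest.xml and classes.dex) stays the same. The entry names, fingerprint scheme and the junk_ naming are assumptions for the example.

```python
import hashlib
import io
import os
import zipfile

# Entries that determine what the app actually does. Resource files,
# assets and padding junk can change without altering behaviour.
# (Assumption for this example: a real fingerprint would also cover
# native libraries and any additional dex files.)
CODE_ENTRIES = ("AndroidManifest.xml", "classes.dex")

# Constructed placeholder bytes, not a real Android app.
DEFAULT_MANIFEST = b"<manifest package='com.example.fakeplay'/>"
DEFAULT_DEX = b"dex\n035\x00" + b"\x00" * 64


def build_apk(extra_junk: int = 0, dex: bytes = DEFAULT_DEX) -> bytes:
    """Build a minimal APK-like ZIP archive in memory.

    extra_junk imitates a server padding the archive with throwaway
    files on every download so that each sample has a fresh file hash.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", DEFAULT_MANIFEST)
        zf.writestr("classes.dex", dex)
        for i in range(extra_junk):
            # Random content: the archive bytes differ per download.
            zf.writestr(f"assets/junk_{i}.bin", os.urandom(32))
    return buf.getvalue()


def file_hash(data: bytes) -> str:
    """Hash of the whole archive, i.e. what a naive blocklist keys on."""
    return hashlib.sha256(data).hexdigest()


def code_fingerprint(data: bytes) -> str:
    """Hash only the behaviour-bearing entries, in a fixed order.

    Padding entries are ignored, so the fingerprint only changes when
    the manifest or the dex code changes.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(n for n in zf.namelist() if n in CODE_ENTRIES):
            h.update(name.encode() + b"\x00")
            h.update(zf.read(name))
    return h.hexdigest()


def junk_entries(data: bytes) -> list:
    """List the archive entries that carry no code."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n not in CODE_ENTRIES]


def same_code(a: bytes, b: bytes) -> bool:
    """True when two archives contain identical code, whatever else they carry."""
    return code_fingerprint(a) == code_fingerprint(b)


if __name__ == "__main__":
    original = build_apk()
    served_1 = build_apk(extra_junk=3)
    served_2 = build_apk(extra_junk=5)
    hashes = {file_hash(x) for x in (original, served_1, served_2)}
    print("distinct file hashes:", len(hashes))
    print("code fingerprint identical:",
          same_code(original, served_1) and same_code(original, served_2))
    print("junk entries in served_2:", junk_entries(served_2))
    # A genuine code change does move the fingerprint.
    print("modified dex matches:", same_code(original, build_apk(dex=b"dex\n035\x00other")))
```

The point of the code-only fingerprint is the one the analyst makes: a detection keyed on what the app does, rather than on the archive's byte-for-byte hash, is unaffected by padding, which is why such samples remain easy to detect.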

Aside from detecting the malicious .APK files, all of the related malicious URLs are already blocked by the Trend Micro Smart Protection Network. Trend Micro customers need not worry, as ANDROIDOS_SMSBOXER.AB is also detected by Trend Micro Mobile App Reputation.

If anything, this attack shows just how quick cybercriminals can adapt to the fast-changing mobile landscape. Users are strongly advised to practice extreme caution when dealing with apps and app stores in general. For more information on mobile threats, please check our Mobile Threat Information Hub.
